
Cybersecurity Nightmares and How To Avoid Them

May 2023

One bad morning

Imagine you’re a successful executive at a large IT company. You’re in charge of security. Your decade-old firm is well established, selling complex, popular IT solutions to large corporations and government bodies. It’s an ordinary Saturday morning, you’re having your coffee and your phone rings. The caller informs you that your company has been subject to a massive cyberattack. Your company’s systems are compromised, and, worse, so are those of your customers. It’s your “nightmare moment”.

This sounds like a movie plot, but it actually happened to a US-based company called SolarWinds in late 2020. In what was one of the largest, most meticulous and most sophisticated cyberattacks in history, operatives inserted a trojan horse (which disguises itself as a harmless file but has malicious code inside) into the update of SolarWinds’ Orion software – used by corporations, government entities and other organisations to monitor and manage their own IT systems. Such was the intricacy of the attackers’ method that an expert likened it to a razor blade being secretly inserted into candy just before the package is sealed inside the candy factory – no-one would think anything was amiss.

The software then lay dormant for around two weeks before springing to life, taking control of computers and, in some cases, stealing highly important and sensitive files and disguising the transfers as ordinary network traffic to evade detection – which the hack did successfully for upwards of nine months before being discovered. In the meantime, top-level US Treasury Department emails were accessed, the Justice Department and other federal departments were breached, and prominent institutions around the world including the European Parliament, Britain’s Home Office, Boeing, AstraZeneca, and Los Alamos National Laboratory were all targeted.

The damage caused, both financial and security-related, was extreme – the perpetrators covered their tracks and removed evidence so effectively that the only fix was often to rebuild entire IT systems from the ground up.

 

Finding a way to measure cybersecurity risk

The SolarWinds attack catapulted cybersecurity issues into the headlines and had IT departments in firms everywhere scrambling to improve their defences. It also caught the attention of Roni Michaely (The University of Hong Kong), Chris Florackis (University of Liverpool), Christodoulos Louca (Cyprus University of Technology), and Michael Weber (University of Chicago), who were studying how cybersecurity risks affect the value of companies. The news galvanised their work and eventually led to the publication of their paper, “Cybersecurity Risk”, in the prestigious Review of Financial Studies journal.

Michaely et al. sought to achieve two aims: to propose a way to measure cybersecurity risk for all listed companies in the US, and to see if cybersecurity risk is priced into the companies’ stock returns.

Their measurement was built on two ideas: the first being that firms hit by cyberattacks had actually been more vulnerable to these attacks before the event and that they had expressed this heightened risk in their corporate disclosures. The second was that firms with similar levels of cybersecurity risk will describe these risks in similar ways.

The team devised a web-crawling algorithm that extracted text relating to cybersecurity risks in firms’ 10-K forms from 2007 to 2018. Filed every year by publicly-traded companies in the US, 10-Ks are more than mere forms – they are complicated, comprehensive reports that provide an overview of a business, its risk factors, selected financial data, discussion and analysis by management of the company’s results, as well as financial statements and other data.

They then identified firms that were subject to a major cyberattack to create a training sample. By scanning both cybersecurity risk disclosures and news reports, they found 69 major cyberattacks that had occurred between 2005 and 2018. By comparing the wording in the relevant parts of the 10-K risk disclosure section of the attacked firms with those of all other firms, they concluded that “firms that use similar words to describe their risk exposure and exposure management exhibit similar levels of cybersecurity risk”.

Here was the cybersecurity risk measure: the higher the measured similarity between a firm’s cybersecurity risk disclosure and those of the attacked firms, the greater the firm’s general exposure to cybersecurity risk. Firms with high scores tended to extensively discuss risk in their 10-K forms – revealing previous cyberattacks or attempts, or admitting to the difficulties involved in defending against these risks – while firms with low scores either believed that their preventative measures had mitigated cybersecurity risks, or did not even include a separate cybersecurity section in their 10-Ks.
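The scoring idea described above can be sketched in a few lines. This is an added example, not code from the paper or from this article: it assumes cosine similarity over term-frequency vectors, averaged across the attacked-firm training sample (the article does not name the similarity function), and all disclosure texts, firm names and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumption: a small stopword list so that scores reflect risk vocabulary.
STOPWORDS = {"we", "our", "the", "and", "to", "of", "in", "a", "that", "which",
             "be", "have", "has", "been", "will", "not", "may", "could", "are",
             "is", "such", "or"}

def tf_vector(text):
    """Term-frequency vector of a disclosure, lowercased, stopwords removed."""
    words = re.findall(r"[a-z]+", (text or "").lower())
    return Counter(w for w in words if w not in STOPWORDS)

def cosine(a, b):
    """Cosine similarity of two term-frequency vectors (0.0 if either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * \
           math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def risk_score(disclosure, attacked_disclosures):
    """Mean similarity to the attacked-firm sample. A firm with no
    cybersecurity section (empty text) scores 0.0."""
    v = tf_vector(disclosure)
    sims = [cosine(v, tf_vector(d)) for d in attacked_disclosures]
    return sum(sims) / len(sims) if sims else 0.0

def rank_firms(firms, attacked_disclosures):
    """Return (firm, score) pairs, highest measured exposure first."""
    scored = [(name, risk_score(text, attacked_disclosures))
              for name, text in firms.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed training sample: disclosures of firms that were later attacked.
ATTACKED = [
    "We have experienced cyberattacks and unauthorized access to our systems "
    "in the past. We may be unable to prevent future security breaches, which "
    "could result in litigation, loss of customer data and reputational harm.",
    "Our networks have been subject to attempted intrusions and malware. "
    "Despite our security measures, we cannot guarantee that breaches of "
    "customer data will not occur, and such breaches could lead to litigation "
    "and regulatory penalties.",
]

# Constructed disclosures for three hypothetical firms.
FIRMS = {
    "FirmA": "We have been subject to cyberattacks in the past and may be "
             "unable to prevent unauthorized access to customer data. Future "
             "breaches could result in litigation, regulatory penalties and "
             "reputational harm.",
    "FirmB": "We maintain firewalls and believe our security measures are "
             "adequate to protect our systems.",
    "FirmC": "",  # no separate cybersecurity section in the 10-K
}

if __name__ == "__main__":
    for name, score in rank_firms(FIRMS, ATTACKED):
        print(f"{name}: {score:.3f}")
```

A score computed this way measures how a firm talks about its exposure, not the state of its controls, so it complements rather than replaces a technical assessment.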

 

Validating the findings

The team validated their findings in several ways. They found that firms with higher scores provided “lengthier and more comprehensive cybersecurity risk disclosures in their 10-Ks, discuss[ed] legal consequences associated with cybersecurity risk, use[d] more precise language, and use[d] more negative words in their discussions, which potentially lowers their exposure to litigation risk”. These high-scoring firms also actively managed their risk exposure by taking action like purchasing cyber insurance policies.

Most directly, the risk measure was validated by the fact that firms with higher cybersecurity risk scores were more likely to experience a future cyberattack. They found that “a one-standard-deviation increase in [their] cybersecurity risk score increases the probability of a future cyberattack by 92.70%”, adding that “This predictability is reassuring and provides direct evidence that our measure reliably captures firms’ exposure to cybersecurity risk.”

Essentially, the more that firms are concerned about and disclose cybersecurity risks, the more at risk they are – meaning their measure can actually predict cyberattacks!

 

Are cybersecurity risks priced into stocks?

In the second part of their paper, the team used the measure to examine whether cybersecurity is priced into stock returns, theorising that the higher a firm’s exposure to cyberattacks, the greater the return expected by investors.

To determine this, they sorted stocks into portfolios based on their cybersecurity risk scores and then tracked their returns over time. They found that a portfolio that held on to stocks in firms with higher cybersecurity risk and sold stocks with low cybersecurity risk earned an excess return of over 8% per year. After checking these results by sorting them in numerous other ways – including by firm size, book-to-market ratio, profitability, institutional ownership, illiquidity, idiosyncratic volatility, risk section length, and 10-K readability – they determined that this excess return remained valid.

After running yet more statistical tests, they not only found a strong positive relationship between cybersecurity risk and stock returns, but determined that cybersecurity risk predicts stock returns up to a year into the future. Finally, they executed an economic significance test – if risk is truly priced into stock returns, they theorised, then “high cybersecurity risk stocks should perform poorly and significantly worse than low cybersecurity risk stocks on the days when cybersecurity risk concerns materialize”.

They sorted stocks into groups based on market value, then into groups based on their risk measure, and then calculated daily returns mimicking a cybersecurity risk factor from 2008 to 2019. Using daily search volume index data from Google Trends, they identified days when there was increasing attention to cybersecurity risk by looking at spikes in the use of words like “hacker” and “data breach”. After a lot of regression analysis, they determined with confidence that according to this model, firms with high cybersecurity risk generally earn high returns, but “perform poorly on days with heightened concerns about cybersecurity”. This shows without a doubt that cybersecurity risk is priced into returns, thus compensating investors for their elevated level of risk.

 

Helping thwart future attacks

Concluding with a flourish, Michaely and his partners used the SolarWinds hack to provide additional evidence for both parts of their paper. They found that firms with higher forecast cybersecurity risk scores saw negative returns around the time of the SolarWinds incident; they also found that the cybersecurity risk measure they devised was positively associated with the probability of being in the group of firms affected by the attack – i.e. those that the measure identified as having a higher cybersecurity risk beforehand were more likely to have been hacked.

Their work has opened a number of doors to new research into the very real and very worrying field of cyberattacks. A highly non-scientific glance at today’s headlines reveals recent attacks across the world: Indigo Books & Music in Canada was hit in early February 2023, knocking their website and payment methods offline. The Indonesian unit of Australia’s Commonwealth Bank just experienced “unauthorised access of a web-based software application used for project management”, while cyberattacks have crippled a major hospital in Barcelona, Spain, an Israeli university and Northern Essex Community College near Boston. Horrifically, hackers also appear to have distributed photos of cancer patients undergoing treatment. These were stolen from a Pennsylvania health group in a ransomware attack, in which hackers steal sensitive photos or files and threaten to publish them unless they are paid.

Truly a “nightmare scenario” for companies and society at large.

Michaely et al.’s cybersecurity risk measure and its underlying methodology will help enable the systematic analysis of cybersecurity risk and its implications for firms in terms of their value, corporate policies and operations. In turn this will help boost cyber-defences around the planet and make the online world a little safer for all of us.

 

About this Research

Chris Florackis, Christodoulos Louca, Roni Michaely and Michael Weber. Cybersecurity Risk, The Review of Financial Studies, Volume 36, Issue 1, January 2023, Pages 351–407


 

References

Brown, L., (March 8, 2023). ‘Russian hackers post nude photos of US cancer patients to dark web in sick extortion plot’. New York Post. https://nypost.com/2023/03/08/russian-hackers-post-nude-photos-of-us-cancer-patients-to-dark-web/

Fama, E. F., and J. D. MacBeth. 1973. Risk, return, and equilibrium: Empirical tests. Journal of Political Economy 81:607–36.

Florackis, C., Louca, C., Michaely, R., and M. Weber. 2023. Cybersecurity risk. The Review of Financial Studies, 36(1), 351-407.

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor. Fireeye (December 13, 2020). Retrieved March 8, 2023 from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Hvistendahl, M., Lee, M., Smith, J., (December 17, 2020). ‘Russian Hackers Have Been Inside Austin City Network for Months’. The Intercept. https://theintercept.com/2020/12/17/russia-hack-austin-texas/

Kenton, W., (April 18, 2022). 10-K: ‘Definition, What’s Included, Instructions, and Where to Find it’. Investopedia. https://www.investopedia.com/terms/1/10-k.asp

Loughran, T., and B. McDonald. 2011. When is a liability not a liability? Textual analysis, dictionaries, and 10-Ks. Journal of Finance 66:35–65.

One month after cyberattack hit, what’s next for Indigo?. CTV News (March 8, 2023). Retrieved March 8, 2023 from https://www.ctvnews.ca/business/one-month-after-cyberattack-hit-what-s-next-for-indigo-1.6303819

Schwartz, S., (October 26, 2021). ‘A conversation with SolarWinds’ CISO’. Cybersecurity Dive. https://www.cybersecuritydive.com/news/solarwinds-ciso-tim-brown-leadership/608847/

Temple-Raston, D., (April 16, 2021). ‘A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack’. NPR. https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Timberg, C. and Nakashima, N., (December 14, 2020). ‘Russian hack was ‘classic espionage’ with stealthy, targeted tactics’. The Washington Post. https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/

About Author
Prof. Roni MICHAELY

Associate Dean (Global Engagement)
